ERROR: TLS Alert write:fatal:protocol version

L.P.H. van Belle belle at bazuin.nl
Thu Jul 1 12:10:40 CEST 2021


These clients should upgrade the PC/OS.

I would say,
Don't make "their" outdated computers your problem by lowering your security.
Why waste your time on that.

> -----Original message-----
> From: Freeradius-Users 
> [mailto:freeradius-users-bounces+belle=bazuin.nl at lists.freeradius.org]
> On behalf of Christoph Litauer
> Sent: Thursday 1 July 2021 12:08
> To: Freeradius-Users at lists.freeradius.org
> Subject: ERROR: TLS Alert write:fatal:protocol version
> 
> Dear freeradius-users,
> 
> after googling, reading and debugging for about 3 days now, 
> maybe the community is able to help: Since moving our radius 
> to Ubuntu 20.0.4 some of our users are not able to 
> authenticate using PEAP. The error message in radius.log is kind of
> 
> Mon Jun 28 16:02:17 2021 : ERROR: (370) eap_peap: ERROR: TLS 
> Alert write:fatal:protocol version
> Mon Jun 28 16:02:17 2021 : Error: tls: TLS_accept: Error in error
> Mon Jun 28 16:02:17 2021 : Auth: (370) Login incorrect 
> (eap_peap: TLS Alert write:fatal:protocol version): 
> [eduroam at uni-koblenz.de] (from client Unifi AccessPoints port 
> 0 cli ...
> 
> Most of these clients seem to be very old (macOS El Capitan, 
> iOS 10.x) but not all of them. My suggestion is that these 
> clients try to use TLS 1.0. So I excerpted a debug log with 
> freeradius -X (attached). Indeed I can see
> 
> (197) eap_peap: <<< recv TLS 1.3  [length 0062]
> (197) eap_peap: >>> send TLS 1.0 Alert [length 0002], fatal 
> protocol_version
> 
> So I changed the following lines in mods-enables/eap:
>         #       disable_tlsv1_2 = no
> #               disable_tlsv1_1 = yes
> #               disable_tlsv1 = yes
>                 tls_min_version = "1.0"
>                 tls_max_version = "1.2"
> 
> Restarted radius, but no change at all. Any help is greatly 
> appreciated! Thanks in advance!
> 
> --
> Kind regards
> Christoph
> _________________________________________
> Uni Koblenz, Computing Centre, Office A 022    
> Postfach 201602, 56016 Koblenz     
> Fon: +49 261 287-1311, Fax: -100 1311
> 
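To see how many stations the protocol_version rejects actually affect before any TLS setting is lowered, the "Login incorrect" lines in radius.log can be tallied per station. This is an added example, not part of the original thread or of FreeRADIUS; the sample log is constructed in the format quoted above, and the function names, user identities, MAC addresses and the client name "ap-lab" are made up.

```python
import re
from collections import defaultdict

# Constructed sample in the radius.log format quoted in the post. Identities,
# MAC addresses and "ap-lab" are invented; real lines are unwrapped, one per event.
SAMPLE_LOG = """\
Mon Jun 28 16:02:17 2021 : ERROR: (370) eap_peap: ERROR: TLS Alert write:fatal:protocol version
Mon Jun 28 16:02:17 2021 : Error: tls: TLS_accept: Error in error
Mon Jun 28 16:02:17 2021 : Auth: (370) Login incorrect (eap_peap: TLS Alert write:fatal:protocol version): [alice@example.org] (from client ap-lab port 0 cli AA-BB-CC-00-00-01)
Mon Jun 28 16:03:40 2021 : Auth: (371) Login OK: [bob@example.org] (from client ap-lab port 0 cli AA-BB-CC-00-00-02)
Mon Jun 28 16:05:02 2021 : Auth: (388) Login incorrect (eap_peap: TLS Alert write:fatal:protocol version): [alice@example.org] (from client Unifi AccessPoints port 0 cli AA-BB-CC-00-00-01)
Mon Jun 28 16:06:11 2021 : Auth: (390) Login incorrect (mschap: MS-CHAP2-Response is incorrect): [carol@example.org] (from client Unifi AccessPoints port 0 cli AA-BB-CC-00-00-03)
Mon Jun 28 16:07:30 2021 : Auth: (395) Login incorrect (eap_peap: TLS Alert write:fatal:protocol version): [dave@example.org] (from client Unifi AccessPoints port 0 cli AA-BB-CC-00-00-04)
"""

# Matches only Auth rejects whose reason is the protocol-version alert.
# The client (NAS) name may contain spaces, so it is matched lazily up to " port N".
AUTH_RE = re.compile(
    r"^(?P<ts>.+?) : Auth: \((?P<req>\d+)\) Login incorrect "
    r"\((?P<module>\w+): TLS Alert write:fatal:protocol version\): "
    r"\[(?P<user>[^\]]*)\] \(from client (?P<nas>.+?) port \d+"
    r"(?: cli (?P<cli>[^)\s]+))?"
)

def protocol_version_rejects(log_text):
    """Group protocol-version rejects by calling station (falls back to user)."""
    hits = defaultdict(lambda: {"users": set(), "nas": set(), "count": 0})
    for line in log_text.splitlines():
        m = AUTH_RE.match(line)
        if not m:
            continue  # other reject reasons, Login OK, and non-Auth lines
        entry = hits[m.group("cli") or m.group("user")]
        entry["users"].add(m.group("user"))
        entry["nas"].add(m.group("nas"))
        entry["count"] += 1
    return dict(hits)

def report(log_text):
    """One summary line per station, most rejects first."""
    rows = sorted(protocol_version_rejects(log_text).items(),
                  key=lambda kv: (-kv[1]["count"], kv[0]))
    return [f"{cli}  rejects={e['count']}  users={','.join(sorted(e['users']))}"
            f"  via={','.join(sorted(e['nas']))}" for cli, e in rows]

if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```
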



